Refresher: What does SSL give you?


Confidentiality 


Authentication 


Message Integrity


Non-repudiation 
Certificates are Everywhere


Public-Facing 
Services 


Internal Services 


Amazon Web Services


Google Cloud Platform


Microsoft Azure


Services in Public 
Clouds 
API endpoints


Machine-to-machine 
communication 
Evolving security indicators


Users should expect that the web is safe by default, and they'll be
warned when there’s an issue.¹


Security Team
Google


¹ https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html
Timeline of Chrome’s Evolution


July 2018 (Chrome 68) - All HTTP
sites marked


[Screenshots: Chrome address bar showing "www.bbc.com" and "Not Secure | www.bbc.com"]


© Qualys 


Timeline of Chrome’s Evolution


Sept 2018 (Chrome 69) - Secure sites
marked neutral instead of the green
Secure
Timeline of Chrome's Evolution


Oct 2018 (Chrome 70) - RED
marker if user interacts


[Screenshot: Chrome address bar showing "Not secure example.com"; form fields labelled "Password" and "…t field"]
Timeline of Chrome’s Evolution


Eventual treatment of all
HTTP pages in Chrome:


[Screenshot: Chrome address bar showing "Not secure example.com"]
Schedule to disable TLS 1.0/1.1


* Chrome: Jan 2020
* Firefox/Safari: March 2020
* IE: First half of 2020


TLS 1.3 is faster and removes
support for insecure features and
ciphers
SSL Pulse


The Good
* No SHA1 or 1024 bit keys


The Bad (~35% inadequate)
* Expired certificates: ~5,200
* Expiring in the next 2 weeks: ~4,500
* Weak/Insecure cipher suites: ~4,200
* SSLv2/SSLv3: ~15,000
* TLSv1.0: ~99,000 (72%)
* RC4 enabled: ~22,000 (16%)


[Screenshot: Qualys SSL Labs "SSL Pulse" page, Monthly Scan: November 02, 2018, with "SSL Security Summary" and "SSL Labs Grade Distribution" charts. Page text: "SSL Pulse is a continuous and global dashboard for monitoring the quality of SSL / TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexa's list of the most popular sites in the world."]
Security Solution w/o a Certificate
Management System


High-end Security Solution w/o a
Certificate Management System


Tinkering with Security Solutions w/o
a Certificate Management System


Dangers of Incomplete
Security Solutions


Actions: Ransomware, Trojan


Hiding the Initial Infection: Before the call back to a C&C


Hiding Data Exfiltration: Bypass other controls such as DLP


Security Solutions w/o a Certificate 
Management system 
Current State of Most Organizations


Limited 
Visibility 


95% of organizations 
don’t know where 
certs are in their 
networks 


Limited ownership 
information 


The unknown is 
difficult to manage 


Missed
Expirations


Unplanned outages


Many more “near
misses”


Compliance


Certificates from
unapproved CAs


Responding to audits
are manually intensive
exercises


Reliance on 
Manual 
Processes 


Spreadsheets are error 
prone and out-of-date 


Expensive, not scalable 
as certificates increase 


Troubleshooting issues 
is challenging 
Ponemon


The average Global 5,000
company spends about $15 million
to recover
from the loss of business due to
a certificate outage¹


¹ http://www.csoonline.com/article/2987186/browser-security/expired-certificates-cost-businesses-15-million-per-outage.html
Challenges of Existing Solutions


Visibility 


Point tools, increasing effort and ownership costs 


Scalability 


Operational silos
Work in on-premises or cloud-only mode


Require multiple or complex deployments to cover 
large environments 


Maturity 


Most solutions are off-the-shelf vulnerability-only or 
certificate-only “tools” 
Single Pane of Glass


What’s DevOps doing, I just found 5,000 self-signed certificates!


We have no visibility into certificates outside the firewall


We can’t inspect encrypted traffic


Network is down, Certificate expired again!
Introducing Qualys CertView


Discover, inventory, monitor 
certificates 


Discover, inventory, monitor host 
configurations & vulnerabilities 


Coverage across both on-premises 
and cloud environments 


Renew certificates from the same 
platform 


Certificate View
Use Cases


* Outage Remediation: Stop expired certificates from interrupting business
* Certificate Grades: Find out if your TLS configurations are following best practices
* Baseline Normal Usage/Full Visibility: Establish a baseline to be able to detect anomalies
* Audits and Compliance: Achieve audit success and fast remediation
* Certificate Renewal: Renew expiring certificates
Key Advantages of Qualys CertView


Uses the same Qualys scanners
already deployed for
Vulnerability Management or
Policy Compliance


Qualys CertView meets many of
the common use cases in
version 1.0 - and we're working
on closing gaps quickly


Certificate Enrollment/Renewal
Releasing next month


[Screenshot: CertView dashboard widgets "CERTIFICATES BY ALGORITHM" and "TOP 5 CERTIFICATES BY COMMON NAME"]


Simplified delivery through
Qualys Cloud Platform - easy
for existing VM/PC customers to
trial and deploy


Attractive Pricing
CertView Releases and Roadmap


Q4 2018* Q2 2019*
Enroll/Renew (Microsoft CA/ GoDaddy)
Enroll/Renew (Digicert) ServiceNow CMDB integration
Approval workflow Deploy on Apache


Scan Consolidation


APIs Cloud Agent support


Alerts Enroll/Renew (Entrust/EJBCA)
Assign ownership Deploy on IIS
Enroll/Renew (Comodo/Let'sEncrypt)
Certificate Validation
CertView is free, it's how you use it
(or not) that will cost you! 


-Anonymous 
DEMO


Certificate View 


QUALYS SECURITY CONFERENCE 2018 


Thank You 


Asif Karel 
akarel@qualys.com 


